CN104980407A - Misinformation detecting method and device - Google Patents
- Publication number: CN104980407A (application CN201410145545.1A)
- Authority: CN (China)
- Prior art keywords: false alarm, information, malicious software, malware, client
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention provides a false alarm (false positive) detection method and device. The method comprises the following steps: identifying malicious software; acquiring first information when the malicious software is identified and sending the first information to a cloud end, so that the cloud end can judge, according to the first information, whether the identification of the malicious software is a false alarm; receiving the judgment result sent by the cloud end; and determining whether a false alarm exists according to the judgment result. The method lets the cloud end judge false alarms from the first information the client collects when it identifies malicious software, and does not rely on the user to actively report the false alarm, so false alarms are detected in time.
Description
Technical Field
The invention relates to the technical field of security, in particular to a false alarm detection method and device.
Background
Cloud security technology is the latest embodiment of information security in the network era. Once cloud security technology is applied, viruses are no longer identified, checked and killed solely by relying on a virus library on the local hard disk; identification relies instead on large-scale network services, and collection, analysis and processing are carried out in real time. An antivirus system applying cloud security technology comprises an antivirus software client (hereinafter referred to as the client) and a cloud end. The client is located on user equipment such as the user's computer; a local engine in the client can complete the virus scanning process, and the steps of that process (reading a file, acquiring a feature code, matching features, judging whether malicious software exists, and so on) are all completed on the user equipment, so the scanning process neither requires a network connection nor depends on information received from the cloud, which would affect the scanning flow. The cloud end is composed of hardware servers and related software; it can receive information from the client, process the received information, and return the processed result to the client. The client and the cloud end are connected through the Internet and exchange information over it.
False alarms (false positives) may occur during virus scanning. A false alarm is the phenomenon of the local engine recognizing normal software as malware. In the related art, the basic flow by which antivirus software manufacturers discover and remove false alarms is roughly as follows: the local engine scans files on the user equipment; the local engine mistakenly identifies normal software as malicious software; the local engine processes the normal software as malicious software; the user feeds back the false alarm to the antivirus software manufacturer through the client; the manufacturer verifies the false alarm and responds; the manufacturer issues upgrade data; the user actively upgrades the antivirus software, or the antivirus software upgrades automatically; and the false alarm is removed.
However, in the above technology, antivirus software manufacturers obtain false alarms mainly by relying on users to actively feed them back, so the timeliness with which false alarms are learned of is problematic.
Disclosure of Invention
The present invention is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, an object of the present invention is to provide a false alarm detection method that enables a client to discover a false alarm in time, so that the false alarm can be removed in time.
A second objective of the present invention is to provide a false alarm detection device.
In order to achieve the above object, an embodiment of the first aspect of the invention provides a false alarm detection method, including: identifying malware; acquiring first information when the malicious software is identified, and sending the first information to a cloud end so that the cloud end judges, according to the first information, whether the identification of the malicious software is a false alarm; and receiving the judgment result sent by the cloud end, and determining whether a false alarm exists according to the judgment result.
In the false alarm detection method provided by the embodiment of the first aspect of the invention, the client sends the first information to the cloud end after identifying the malicious software, and the cloud end judges whether a false alarm exists according to the first information. Because the false alarm does not need to be actively fed back by a user and the cloud end carries out the false alarm judgment directly, the timeliness of false alarm detection is improved and the client can remove the false alarm in time.
In order to achieve the above object, a false alarm detection apparatus according to an embodiment of the second aspect of the present invention includes: an identification module for identifying malicious software; an acquisition module for acquiring first information during malicious software identification and sending the first information to a cloud end so that the cloud end can judge, according to the first information, whether the malicious software identification is a false alarm; and a judging module for receiving the judgment result sent by the cloud end and determining whether a false alarm exists according to the judgment result.
In the false alarm detection apparatus provided by the embodiment of the second aspect of the present invention, after identifying malicious software the client sends the first information to the cloud end, and the cloud end determines whether a false alarm exists according to the first information. Because the false alarm does not need to be actively fed back by a user and the cloud end carries out the false alarm judgment directly, the timeliness of false alarm detection is improved and the client can remove the false alarm in time.
In order to achieve the above object, a client device according to an embodiment of the third aspect of the present invention includes a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is disposed inside the space enclosed by the housing, and the processor and the memory are disposed on the circuit board; the power supply circuit supplies power to each circuit or device of the client device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, executes the program corresponding to that code in order to: identify malware; acquire first information when the malicious software is identified, and send the first information to a cloud end so that the cloud end judges, according to the first information, whether the identification of the malicious software is a false alarm; and receive the judgment result sent by the cloud end, and determine whether a false alarm exists according to the judgment result.
The client device provided by the embodiment of the third aspect of the present invention sends the first information to the cloud end after recognizing the malware, and the cloud end determines whether there is a false alarm according to the first information. Because the false alarm does not need to be actively fed back by a user and the cloud end carries out the false alarm judgment directly, the timeliness of false alarm detection is improved and the client can remove the false alarm in time.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a flow chart of a false alarm detection method according to an embodiment of the present invention;
FIG. 2 is a flow chart of another false alarm detection method according to an embodiment of the present invention;
FIG. 3 is a flow chart of another false alarm detection method according to an embodiment of the present invention;
FIG. 4 is a flow chart of another false alarm detection method according to an embodiment of the present invention;
FIG. 5 is a flow chart of another false alarm detection method according to an embodiment of the present invention;
FIG. 6 is a flow chart of another false alarm detection method according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a false alarm detection apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another false alarm detection apparatus according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of another false alarm detection apparatus according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of another false alarm detection apparatus according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of another false alarm detection apparatus according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of another false alarm detection apparatus according to an embodiment of the present invention;
FIG. 13 is a schematic structural diagram of another false alarm detection apparatus according to an embodiment of the present invention;
FIG. 14 is a schematic structural diagram of a false alarm detection system according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention. On the contrary, the embodiments of the invention include all changes, modifications and equivalents coming within the spirit and terms of the claims appended hereto.
It should be noted that the terms "first," "second," and the like in the description of the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In addition, in the description of the present invention, "a plurality" means two or more unless otherwise specified.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
Fig. 1 is a schematic flow chart of a false alarm detection method according to an embodiment of the present invention, as shown in fig. 1, the method includes:
S11: The client identifies malware.
It can be understood that in the related art the client can already identify malware, so a person skilled in the art knows how a specific client implements malware identification, and the embodiment of the present invention does not describe it again.
In the related art, the client directly processes the malware according to the malware processing flow after recognizing it, but the malware recognized by the client may actually be normal software, that is, a false alarm is generated. In the related art, a false alarm has to be reported by the user to the server through the client. In order for the cloud end to learn of false alarms in time, the false alarm detection method of the embodiment of the invention further comprises the following step after the malicious software is identified:
S12: The client acquires first information during malicious software identification and sends the first information to the cloud end, so that the cloud end judges, according to the first information, whether the malicious software identification is a false alarm.
The first information includes at least one of:
a hash (hash) value of the malware;
identifying local engine information for the malware;
characteristic information of the malware;
an irreversible Unique User Identifier (UUID) of the client where the malware is located.
The hash value of the malware may be obtained by performing a hash operation on the binary file of the malware; the hash algorithm includes but is not limited to Message Digest Algorithm 5 (MD5), Cyclic Redundancy Check (CRC), Secure Hash Algorithm 1 (SHA-1), and the like.
The local engine information may be obtained after identifying the local engine, and the local engine information includes: engine name, and/or hit rule Identification (ID), etc.
The feature information of the malware may be obtained by analyzing a binary file of the malware, and the feature information of the malware includes at least one of the following items: file path, file type, file size, etc.
The UUID may be obtained from identification of the client on which the malware is located.
S13: and the client receives the judgment result sent by the cloud and determines whether the false alarm exists according to the judgment result.
For example, when the determination result indicates a false positive, the client may determine that the false positive exists; and when the judgment result shows that the data is not misinformed, the client can determine that no misinformation exists.
The client side of the embodiment sends the first information of the identified malicious software to the cloud side through not directly processing the malicious software after identifying the malicious software, so that the cloud side judges whether the malicious software is a false alarm according to the first information, and the cloud side can timely know whether the false alarm exists.
In the related art, the antivirus software version is upgraded by the server side, and the false alarm can be obtained only after the client side is upgraded. The client of the embodiment can timely know whether the false alarm exists or not by receiving the judgment result of the cloud, and the false alarm can be determined without waiting for the upgrade of the antivirus software. Therefore, the timeliness of the cloud and the client for obtaining the false alarm is improved. In addition, the client can inquire the cloud end after identifying the malicious software and know the judgment result of whether the false alarm exists, so that the client can timely know the false alarm without updating the software, and the delay problem caused by the need of updating is avoided.
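The client side of steps S11 to S13, written out as an added example (not code from the patent or from any product): the client builds the "first information" from a flagged file (hash values with the algorithms the description names, local engine name and hit rule ID, feature information, and an irreversible client UUID), hands it to the cloud end, and acts on the verdict instead of processing the file immediately. The sample binary, the engine name "engine_A", the rule ID "a1", the cloud stand-in and the salted SHA-256 construction of the irreversible UUID are all assumptions made for the example.

```python
import hashlib
import zlib
from dataclasses import dataclass, asdict
from typing import Callable, Dict

# Constructed sample file standing in for a binary the local engine flagged.
SAMPLE_BINARY = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"


def hash_binary(data: bytes) -> Dict[str, str]:
    """Hash values of the flagged file using the algorithms the description names
    (MD5, CRC, SHA-1). CRC32 is a checksum, not a collision-resistant hash, so a
    false alarm verdict should be keyed on SHA-1 or stronger, never on the CRC."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def irreversible_uuid(machine_id: str, install_salt: bytes) -> str:
    """Assumed construction of the 'irreversible' client UUID: a one-way hash of a
    machine identifier and a per-installation random salt. The cloud can count
    distinct clients but cannot recover the machine identifier from the value."""
    return hashlib.sha256(install_salt + machine_id.encode("utf-8")).hexdigest()


@dataclass
class FirstInformation:
    """The 'first information' of S12: hash values, local engine information,
    feature information (path, type, size) and the client UUID."""
    hashes: Dict[str, str]
    engine_name: str
    hit_rule_id: str
    file_path: str
    file_type: str
    file_size: int
    client_uuid: str


def build_first_information(path: str, data: bytes, engine_name: str,
                            hit_rule_id: str, client_uuid: str) -> FirstInformation:
    file_type = "PE" if data[:2] == b"MZ" else "unknown"  # minimal type sniffing
    return FirstInformation(hash_binary(data), engine_name, hit_rule_id,
                            path, file_type, len(data), client_uuid)


def client_handle_detection(info: FirstInformation,
                            cloud_judge: Callable[[dict], str]) -> str:
    """S12/S13: send the first information to the cloud end (an injected callable
    stands in for the network call) and act on the verdict. Returns 'false_alarm'
    (file left alone) or 'malware' (file handled by the normal malware flow)."""
    verdict = cloud_judge(asdict(info))
    return "false_alarm" if verdict == "false_alarm" else "malware"


# Constructed stand-in for the cloud end: one SHA-1 is known to be a false alarm.
KNOWN_FALSE_ALARM_SHA1 = {hashlib.sha1(SAMPLE_BINARY).hexdigest()}


def demo_cloud_judge(first_info: dict) -> str:
    sha1 = first_info["hashes"]["sha1"]
    return "false_alarm" if sha1 in KNOWN_FALSE_ALARM_SHA1 else "not_false_alarm"


def demo() -> str:
    uuid = irreversible_uuid("machine-0001", b"installation-salt")
    info = build_first_information(r"C:\tools\sample.exe", SAMPLE_BINARY,
                                   "engine_A", "a1", uuid)
    return client_handle_detection(info, demo_cloud_judge)


if __name__ == "__main__":
    print(demo())
```

The verdict is keyed on the SHA-1 digest rather than the CRC because a checksum can be made to collide; the irreversible UUID lets the cloud end count distinct clients later (the statistics used in the FIG. 6 embodiment) without the report identifying the machine.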
Fig. 2 is a flowchart of another false alarm detection method according to an embodiment of the present invention, where the method may further include, after the step S13:
S14: When the judgment result indicates a false alarm, the client does not process the identified malicious software as malicious software.
That is, the identified malware is normal software and is not sanitized. Or,
S15: When the judgment result indicates no false alarm, the client processes the identified malicious software as malicious software.
That is, the identified malware is not normal software and needs to be sanitized.
According to this embodiment, processing according to the judgment result allows an existing false alarm to be removed in time.
Fig. 3 is a flowchart of another false alarm detection method according to an embodiment of the present invention, where the method may further include, after the step S13:
S31: When determining that a false alarm exists, the client records the first information in a false alarm list.
For example, if the first information when the false alarm was determined is hash value_1, then hash value_1 may be recorded in the false alarm list.
S32: Search the false alarm list when malware is identified next time, and judge whether the information obtained at that identification is recorded in the false alarm list; if so, execute S33, otherwise execute S34.
For example, the next time malware is identified, information about that malware is again acquired, for example its hash value.
S33: The identification of the malware at this time is determined directly to be a false alarm.
For example, if the hash value of the malware identified in S32 is hash value_1, then since hash value_1 is recorded in the false alarm list, this identification is determined to be a false alarm without any need to query the cloud end.
S34: Send the information obtained when identifying the malicious software to the cloud end, let the cloud end judge, and receive the judgment result sent by the cloud end.
For example, if the information obtained in S32 is hash value_3, which is not in the false alarm list, hash value_3 may be sent to the cloud end so that the cloud end judges whether it is a false alarm.
Further, if the result fed back by the cloud end is a false alarm, hash value_3 may also be recorded in the false alarm list for subsequent detection lookups.
In this embodiment, after the client learns of a false alarm, it records the first information for reference in subsequent detection.
It can be understood that the client may also perform other operations after learning of the false alarm; for example, the client performs software upgrade processing when it determines that a false alarm exists.
In the related art, because upgrading depends on the user's initiative or on the upgrade date set by the antivirus software, an upgrade cannot be performed in time when a false alarm occurs, and the false alarm cannot be relieved in time. In this embodiment the software is upgraded after the false alarm occurs, so the upgrade is timely and the false alarm is resolved in time.
According to this embodiment, when a false alarm is known to exist, its information is recorded, which provides a basis for subsequent detection, avoids querying the cloud end every time, and reduces resource overhead.
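The false alarm list of S31 to S34, as an added example (not the patent's code): the client keeps a local set of hashes the cloud end has already judged to be false alarms, decides locally on a hit and only queries the cloud end on a miss, recording new false alarm verdicts as they arrive. It uses the description's own hash value_1 and hash value_3; the cloud end is a constructed stand-in callable and the detection sequence is constructed for the example.

```python
from typing import Callable, Dict, List, Set


class FalseAlarmCache:
    """Client-side false alarm list (S31-S34). Keyed by the file hash, as in the
    description's example; the cloud end is an injected callable."""

    def __init__(self, cloud_judge: Callable[[str], bool]) -> None:
        self.cloud_judge = cloud_judge
        self.false_alarm_list: Set[str] = set()
        self.cloud_queries = 0           # how often the cloud end was actually asked
        self.upgrade_requested = False   # optional follow-up once a false alarm is known

    def on_detection(self, file_hash: str) -> bool:
        """Return True when the identification is a false alarm."""
        if file_hash in self.false_alarm_list:       # S32 hit -> S33: decide locally
            return True
        self.cloud_queries += 1                        # S32 miss -> S34: ask the cloud end
        is_false_alarm = self.cloud_judge(file_hash)
        if is_false_alarm:
            self.false_alarm_list.add(file_hash)       # S31: remember for next time
            self.upgrade_requested = True
        return is_false_alarm


def constructed_cloud_judge(file_hash: str) -> bool:
    """Stand-in cloud end: the description's hash value_1 and hash value_3 are false alarms."""
    return file_hash in {"hash_value_1", "hash_value_3"}


# Constructed sequence of detections on one client: the same file is flagged repeatedly.
SCENARIO = ["hash_value_1", "hash_value_1", "hash_value_3", "hash_value_2", "hash_value_3"]


def run_scenario(detections: List[str]) -> Dict[str, object]:
    cache = FalseAlarmCache(constructed_cloud_judge)
    verdicts = [cache.on_detection(h) for h in detections]
    return {"verdicts": verdicts, "cloud_queries": cache.cloud_queries,
            "false_alarm_list": sorted(cache.false_alarm_list)}


if __name__ == "__main__":
    print(run_scenario(SCENARIO))
```

Five detections cost three cloud queries: the second hash_value_1 and the second hash_value_3 are answered from the list. Because a cached entry permanently suppresses handling of that file, the list must be keyed on a collision-resistant hash of the file content, and in practice it should be invalidated when the cloud end's rule base changes, otherwise a verdict the cloud end later reverses would stay in force on the client.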
Fig. 4 is a schematic flow chart of another false alarm detection method according to an embodiment of the present invention, as shown in fig. 4, the method includes:
S41: The cloud end receives first information sent by a client, where the first information is information obtained when the client identifies malicious software.
The first information includes at least one of the items described under S12 above:
a hash (hash) value of the malware;
identifying local engine information for the malware;
characteristic information of the malware;
an irreversible Unique User Identifier (UUID) of the client where the malware is located.
The hash value, local engine information, feature information and UUID are obtained as described under S12.
S42: The cloud end judges, according to the first information, whether the client's identification of the malicious software is a false alarm.
S43: The cloud end sends the judgment result to the client so that the client can determine whether a false alarm exists according to the judgment result.
As in the above embodiments, after receiving the determination result, the client may determine whether there is a false alarm according to the determination result, and may further perform corresponding processing. For details, reference may be made to the above embodiments, which are not described herein again.
Optionally, a false alarm determination rule base is set up at the cloud end to perform the above false alarm judgment.
Correspondingly, fig. 5 is a schematic flow chart of another false alarm detection method provided in the embodiment of the present invention, where the method includes:
S51: The cloud end receives first information sent by a client, where the first information is information obtained when the client identifies malicious software.
See S41 for details, which are not repeated here.
S52: The cloud end sets up a false alarm determination rule base in which the rules belonging to false alarms are recorded.
For example, the false alarm determination rule base may record that the malicious software is a false alarm when its hash value is a certain set hash value; and/or that the identification is a false alarm when the local engine information is certain set local engine information; and so on.
S53: When the first information meets a rule recorded in the false alarm determination rule base, the cloud end determines that the identification of the malicious software is a false alarm.
Here the first information and/or the rule belonging to a false alarm includes at least one of:
a hash value of the malware;
identifying local engine information for the malware;
characteristic information of the malware;
an irreversible Unique User Identifier (UUID) of the client on which the malicious software is located.
Correspondingly, when the first information is the same as a rule belonging to a false alarm, the first information is determined to meet a rule recorded in the false alarm determination rule base.
For example, suppose the false alarm determination rule base records that a file identified by rule a1 of local engine A is a false alarm. When the first information reported by the client and received by the cloud end includes local engine information consisting of an engine identifier and a hit rule identifier, and the engine identifier is A and the hit rule identifier is a1, the client's identification of the malicious software is determined to be a false alarm. Or, suppose the false alarm determination rule base records that the file with hash value x is a false alarm. When the first information reported by the client and received by the cloud end includes the hash value of the identified malicious software and that hash value is x, the client's identification of the malicious software at that moment is determined to be a false alarm.
S54: The cloud end sends the judgment result to the client so that the client can determine whether a false alarm exists according to the judgment result.
As in the above embodiments, after receiving the determination result, the client may determine whether there is a false alarm according to the determination result, and may further perform corresponding processing. For details, reference may be made to the above embodiments, which are not described herein again.
The cloud end of this embodiment can receive the first information sent by the client after the client identifies malicious software, judge whether the identification is a false alarm according to the first information, and feed the judgment result back to the client. The client can therefore learn in time whether a false alarm exists and remove it in time.
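The cloud-side rule base of S52 to S54, as an added example (not the patent's code): a rule base holding the two rule kinds the description gives, a file hash known to be a false alarm and a (local engine, hit rule ID) pair whose detections are false alarms, plus the matching step that produces the judgment result returned to the client. The rule values (engine "A", rule "a1", a placeholder hash standing in for the description's "hash value x") and the three sample reports are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FalseAlarmRuleBase:
    """S52: the cloud end's false alarm determination rule base."""
    # (hash algorithm, hex digest) of files verified as false alarms
    hashes: Set[Tuple[str, str]] = field(default_factory=set)
    # (local engine name, hit rule id) pairs whose detections are false alarms
    engine_rules: Set[Tuple[str, str]] = field(default_factory=set)

    def matching_rule(self, first_info: dict) -> Optional[str]:
        """S53: return the first rule the first information meets, or None."""
        for algorithm, digest in first_info.get("hashes", {}).items():
            if (algorithm, digest) in self.hashes:
                return f"hash:{algorithm}:{digest}"
        engine = first_info.get("engine_name")
        rule_id = first_info.get("hit_rule_id")
        if engine is not None and rule_id is not None and (engine, rule_id) in self.engine_rules:
            return f"engine:{engine}/{rule_id}"
        return None


def cloud_judge(rule_base: FalseAlarmRuleBase, first_info: dict) -> Dict[str, object]:
    """S53/S54: the judgment result sent back to the client."""
    matched = rule_base.matching_rule(first_info)
    return {"false_alarm": matched is not None, "matched_rule": matched}


# Constructed rule base following the description's examples: rule a1 of engine A
# and the file with hash value x (placeholder digest below) are false alarms.
PLACEHOLDER_HASH_X = "x" * 40
DEMO_RULE_BASE = FalseAlarmRuleBase(
    hashes={("sha1", PLACEHOLDER_HASH_X)},
    engine_rules={("A", "a1")},
)

# Constructed reports: an engine-rule match, a hash match, and no match.
DEMO_REPORTS: List[dict] = [
    {"engine_name": "A", "hit_rule_id": "a1", "hashes": {"sha1": "1" * 40}},
    {"engine_name": "B", "hit_rule_id": "b7", "hashes": {"sha1": PLACEHOLDER_HASH_X}},
    {"engine_name": "A", "hit_rule_id": "a2", "hashes": {"sha1": "2" * 40}},
]


def demo() -> List[bool]:
    return [bool(cloud_judge(DEMO_RULE_BASE, r)["false_alarm"]) for r in DEMO_REPORTS]


if __name__ == "__main__":
    for report in DEMO_REPORTS:
        print(cloud_judge(DEMO_RULE_BASE, report))
```

A hash rule exempts exactly one file, while an engine-rule entry silences every detection that rule produces on every client, so the second kind is the broader suppression and deserves the stricter review before it is added; hash rules are keyed by algorithm so that a CRC value can never satisfy a rule recorded for SHA-1.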
In the related art, an antivirus vendor needs to screen out the relatively urgent and important false alarms from the false alarm conditions fed back by individual users, for priority processing. Because user feedback of false alarms is not timely enough, urgent and important false alarms cannot be processed in time and are delayed. Therefore, as shown in FIG. 6, the present invention further provides an embodiment to solve the problem of delayed urgent and important false alarms in the related art.
Fig. 6 is a schematic flow chart of another false alarm detection method provided in the embodiment of the present invention, including:
S61: The cloud end receives first information sent by a client, where the first information is information obtained when the client identifies malicious software;
S62: the cloud end sets up a false alarm determination rule base in which the rules belonging to false alarms are recorded;
S63: when the first information meets a rule recorded in the false alarm determination rule base, the cloud end determines that the identification of the malicious software is a false alarm;
S64: the cloud end sends the judgment result to the client so that the client can determine whether a false alarm exists according to the judgment result.
For details, see S51-S54, which are not repeated here.
S65: The cloud end distinguishes urgent false alarms from non-urgent false alarms.
The cloud end can maintain a malicious software information base that records statistical information obtained from the first information fed back by each client; for example, the number of clients infected with the same malicious software can be obtained, and the cloud end can then distinguish according to this statistical information. And/or,
the cloud end can maintain a user feedback false alarm information base that records the false alarm conditions fed back by individual users; for example, the number of clients infected with the same malicious software can be obtained from the user-reported false alarm conditions, and the cloud end can then distinguish according to the number of users. Alternatively, the user may feed back the nature of the identified malware, and the distinction can be made based on that nature.
That is, S65 may specifically include:
counting the first information sent by each client, and distinguishing urgent false alarms from non-urgent false alarms according to the counting result; and/or
acquiring the false alarm conditions fed back by users, and distinguishing urgent false alarms from non-urgent false alarms according to the false alarm conditions fed back by users.
Further, the first information includes information about the identified malware and information about the client, and counting the first information sent by each client and distinguishing urgent false alarms from non-urgent false alarms according to the statistical result includes:
determining the number of clients recognizing the same malicious software according to the first information sent by each client;
determining that the identification of the malware is an urgent false alarm when the number is greater than a preset threshold.
Here the preset threshold may be, for example, 100,000 users per day.
In another embodiment, acquiring the false alarm conditions fed back by users and distinguishing urgent false alarms from non-urgent false alarms according to them includes:
acquiring the false alarm condition fed back by each user and determining the number of users feeding back the same malicious software;
and, when the number of users is larger than a preset threshold, determining that the identification of the malicious software is an urgent false alarm.
Here the preset threshold may be, for example, 100,000 users per day.
In another embodiment, acquiring the false alarm conditions fed back by users and distinguishing urgent false alarms from non-urgent false alarms according to them includes:
distinguishing urgent false alarms from non-urgent false alarms according to the software property of the false alarm fed back by the user.
Specifically, distinguishing urgent false alarms from non-urgent false alarms according to the software property of the false alarm fed back by the user may include:
when the software fed back by the user as a false alarm is software necessary for system operation, determining the false alarm on that software to be an urgent false alarm.
Software necessary for system operation is, for example, Windows system files.
S66: the cloud preferentially verifies the emergency false alarm, and updates a rule corresponding to the emergency false alarm to the false alarm determination rule base after verification.
The verification of false alarms can be based on static code analysis and/or dynamic behavior analysis.
For example, a section of static code can be written that obtains the range of clients infected with the same malware within a certain period; if the range exceeds a preset value, the identification can be verified as a false alarm. Alternatively, the increase in the number of users infected with the same malware over a period is obtained from dynamic behavior, and the identification can be verified as a false alarm if the increase exceeds a predetermined value. The reason is that a genuine virus usually does not produce such a large infection range or such an increase in infections; of course, a large-scale outbreak could produce them, so further verification may be performed later using a virus verification process from the related art, which is not described in detail in this embodiment.
After the identification is verified as a false alarm, the first information sent by the client when it identified the malware can be added to the false alarm determination rule base as a reference for subsequent detection.
For example, if the hash value y is not in the original false alarm determination rule base but the software whose hash value is y is verified as a false alarm, y can be added to the rule base; the next time the hash value of malware identified by a client is y, the updated rule base determines that the identification is a false alarm.
In this embodiment, the cloud has information of all malware recognized by the client, so that under the condition that no user feedback exists or the user does not timely feed back, an emergency false alarm can be distinguished in time by analyzing the first information reported by the client, and delay of the emergency false alarm is avoided.
Fig. 7 is a schematic structural diagram of an apparatus for false alarm detection according to an embodiment of the present invention, where the apparatus 70 includes an identification module 71, an acquisition module 72, and a determination module 73.
The identification module 71 is used for identifying malware;
the obtaining module 72 is configured to obtain first information obtained when the malware is identified, and send the first information to a cloud, so that the cloud determines whether the malware is identified by false alarm according to the first information;
the determination module 73 is configured to receive a determination result sent by the cloud, and determine whether there is a false alarm according to the determination result.
In an embodiment, it can be understood that, in the related art, the client may also identify the malware, and therefore, a person skilled in the art can know how to implement the identification of the malware by the specific identification module 71, and details of the embodiment of the present invention are not described again.
In the related art, the client directly processes the malware according to the malware processing flow after recognizing the malware, but the malware recognized by the client is possibly normal software, that is, false alarm is generated. In the related art, the false alarm requires a user to report to a server through a client. In order to enable the cloud to timely obtain the false alarm, the false alarm detection apparatus according to the embodiment of the present invention further includes the above-mentioned obtaining module 72 and the determining module 73 after identifying the malware.
Corresponding to the obtaining module 72, the first information includes at least one of:
a hash value of the malware;
identifying local engine information for the malware;
characteristic information of the malware;
an irreversible Unique User Identifier (UUID) of the client where the malware is located.
The hash value of the malware may be obtained by performing a hash operation on the binary file of the malware; the hash algorithm includes but is not limited to Message Digest Algorithm 5 (MD5), Cyclic Redundancy Check (CRC), Secure Hash Algorithm 1 (SHA-1), and the like.
The local engine information may be obtained from the local engine after the identification, and includes the engine name and/or the hit rule identifier (ID), etc.
The feature information of the malware may be obtained by analyzing a binary file of the malware, and the feature information of the malware includes at least one of the following items: file path, file type, file size, etc.
The UUID may be obtained from identification of the client on which the malware is located.
Corresponding to the determining module 73: when the determination result indicates a false alarm, the client determines that a false alarm exists; when the determination result indicates no false alarm, the client determines that there is none.
The client of this embodiment does not directly process the malware after identifying it, but sends the first information of the identified malware to the cloud, so that the cloud determines, according to the first information, whether the identification is a false alarm; the cloud can thus learn of false alarms in a timely manner.
In the related art, the antivirus software version is upgraded by the server side, and the false alarm can be obtained only after the client side is upgraded. The client of the embodiment can timely know whether the false alarm exists or not by receiving the judgment result of the cloud, and the false alarm can be determined without waiting for the upgrade of the antivirus software. Therefore, the timeliness of the cloud and the client for obtaining the false alarm is improved. In addition, the client can inquire the cloud end after identifying the malicious software and know the judgment result of whether the false alarm exists, so that the client can timely know the false alarm without updating the software, and the delay problem caused by the need of updating is avoided.
Fig. 8 is a schematic structural diagram of another false alarm detection apparatus provided in the embodiment of the present invention, and the apparatus further includes, on the basis of the embodiment described in fig. 7: a processing module 74.
The processing module 74 is configured to: when the determination result received by the determining module 73 indicates a false alarm, not treat the identified malware as malware, that is, the identified malware is normal software and no antivirus processing is performed; and/or, when the determination result received by the determining module 73 indicates no false alarm, treat the identified malware as malware, that is, the identified malware is not normal software and antivirus processing is required.
According to the embodiment, the false alarm can be timely removed when the false alarm exists by processing according to the judgment result.
Fig. 9 is a schematic structural diagram of another false alarm detection apparatus according to an embodiment of the present invention, which further includes a recording module 75, a first search module 76, and a second search module 77 based on the configuration shown in fig. 7.
The recording module 75 is configured to record the first information in a false positive list when the determining module 73 determines that there is a false positive.
For example, if the first information when the false alarm is determined is hash value_1, hash value_1 may be recorded in the false alarm list.
The first searching module 76 is configured to search the false alarm list when malware is identified next time, and to directly determine that identification to be a false alarm if the information obtained at that identification is in the false alarm list.
For example, the hash value of the malware identified next time is hash value_1; since hash value_1 is recorded in the false alarm list, this identification is determined to be a false alarm, and no determination needs to be requested from the cloud.
The second searching module 77 is configured to search the false alarm list when malware is identified next time, and to send the information obtained at that identification to the cloud for a false alarm determination if it is not in the false alarm list.
For example, the information obtained when the malware is identified next time is hash value_3; since it is not in the false alarm list, hash value_3 is sent to the cloud, and the cloud determines whether the identification is a false alarm.
Further, if the result fed back by the cloud is a false alarm, hash value_3 may also be recorded in the false alarm list for subsequent detection and search.
The embodiment can find the false alarm in time next time by recording the false alarm condition.
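The client-side flow of figures 7 to 9 (assembling the first information, consulting the local false alarm list, and querying the cloud only on a miss), as an added Python example; it is not code from the patent or from any product it describes. The cloud is stood in for by an injected `cloud_judge` callable, the irreversible UUID is derived with SHA-256 over a per-install secret (an assumed construction; the page only says the identifier is irreversible), and the sample file bytes and the cloud's set of known false alarms are constructed.

```python
import hashlib
import os
import zlib
from typing import Callable, Dict, List, Tuple

# Constructed sample input: a small "binary" the local engine has just flagged.
SAMPLE_FILE_BYTES = b"abc"


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Hash the binary with the algorithms the text lists (MD5, CRC, SHA-1).
    Caveat for a real rule base: CRC32 and MD5 are not collision resistant and
    SHA-1 is deprecated, so keying false-alarm rules on them alone lets a
    crafted file match a benign file's rule; SHA-256 would be the safer key.
    They are kept here because the page names them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def irreversible_uuid(client_secret: bytes, label: bytes = b"false-alarm-report-v1") -> str:
    """Irreversible client identifier (assumed construction): SHA-256 over a
    per-install random secret, so the cloud can count distinct clients but
    cannot recover the secret or any hardware identifier from the report."""
    return hashlib.sha256(label + client_secret).hexdigest()


def build_first_information(path: str, data: bytes, engine_name: str,
                            rule_id: str, client_secret: bytes) -> dict:
    """Assemble the 'first information' the text describes: hash values, local
    engine information (engine name and hit rule ID), feature information
    (file path, type, size) and the irreversible UUID."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return {
        "hashes": compute_hashes(data),
        "engine": {"name": engine_name, "rule_id": rule_id},
        "features": {"file_path": path, "file_type": ext or "unknown", "file_size": len(data)},
        "uuid": irreversible_uuid(client_secret),
    }


class FalseAlarmClient:
    """Client that consults its local false alarm list (S31'-S33') before
    asking the cloud (S34'), and records cloud-confirmed false alarms."""

    def __init__(self, cloud_judge: Callable[[dict], bool], client_secret: bytes):
        self.cloud_judge = cloud_judge      # hypothetical transport to the cloud's judging module
        self.client_secret = client_secret
        self.false_alarm_list = set()       # SHA-1 digests of confirmed false alarms
        self.cloud_queries = 0

    def on_malware_identified(self, path: str, data: bytes,
                              engine_name: str, rule_id: str) -> str:
        """Return 'false_alarm' (leave the file alone) or 'malware' (run the
        normal sanitization flow)."""
        info = build_first_information(path, data, engine_name, rule_id, self.client_secret)
        key = info["hashes"]["sha1"]
        if key in self.false_alarm_list:    # S33': local hit, no cloud round trip
            return "false_alarm"
        self.cloud_queries += 1             # S34': ask the cloud
        if self.cloud_judge(info):
            self.false_alarm_list.add(key)  # S31': record for subsequent detections
            return "false_alarm"
        return "malware"


# Constructed stand-in for the cloud: it knows exactly one verified false alarm.
DEMO_CLOUD_FALSE_ALARMS = {hashlib.sha1(SAMPLE_FILE_BYTES).hexdigest()}


def demo_cloud_judge(info: dict) -> bool:
    return info["hashes"]["sha1"] in DEMO_CLOUD_FALSE_ALARMS


def run_demo() -> Tuple[List[str], int]:
    """Three identifications: the cloud confirms the first, the local list
    answers the second without a query, and the cloud rejects an unrelated file."""
    client = FalseAlarmClient(demo_cloud_judge, b"per-install-secret-constructed")
    results = [
        client.on_malware_identified("C:/Windows/System32/example.dll", SAMPLE_FILE_BYTES, "engine-a", "a1"),
        client.on_malware_identified("C:/Windows/System32/example.dll", SAMPLE_FILE_BYTES, "engine-a", "a1"),
        client.on_malware_identified("C:/Users/demo/other.exe", b"not the same bytes", "engine-a", "a7"),
    ]
    return results, client.cloud_queries


if __name__ == "__main__":
    print(run_demo())  # (['false_alarm', 'false_alarm', 'malware'], 2)
```

The local list is keyed on the SHA-1 digest only; keying on the whole first information record (engine name plus rule ID, for instance) would let the client keep a rule-level cache as well, at the cost of more cloud round trips when the same file is hit by different rules.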
Fig. 10 is a schematic structural diagram of another false alarm detection apparatus according to an embodiment of the present invention, which further includes an upgrade module 76 based on that shown in fig. 7.
The upgrade module 76 is configured to perform software upgrade processing when the determination module 73 determines that there is a false alarm.
In the related art, because the upgrade depends on the autonomy of a user or the upgrade date set by the antivirus software, the false alarm cannot be timely upgraded when occurring, and the false alarm cannot be timely relieved. In the embodiment, the software is upgraded after the false alarm occurs, so that the software can be upgraded in time, and the false alarm can be solved in time.
Fig. 11 is a schematic structural diagram of another false alarm detection apparatus according to an embodiment of the present invention, where the apparatus 110 includes a receiving module 111, a determining module 112, and a sending module 113.
The receiving module 111 is configured to receive first information sent by a client, where the first information is information obtained when the client identifies malware;
the judging module 112 is configured to determine, according to the first information received by the receiving module 111, whether the client's identification of the malware is a false alarm;
the sending module 113 is configured to send the determination result obtained by the determining module 112 to the client, so that the client determines whether there is a false alarm according to the determination result.
In one embodiment, the first information comprises at least one of:
a hash value of the malware;
identifying local engine information for the malware;
characteristic information of the malware;
an irreversible Unique User Identifier (UUID) of the client where the malware is located.
The hash value of the malware may be obtained by performing a hash operation on the binary file of the malware; the hash algorithm includes but is not limited to Message Digest Algorithm 5 (MD5), Cyclic Redundancy Check (CRC), Secure Hash Algorithm 1 (SHA-1), and the like. The local engine information may be obtained from the local engine after the identification, and includes the engine name and/or the hit rule identifier (ID), etc.
The feature information of the malware may be obtained by analyzing a binary file of the malware, and the feature information of the malware includes at least one of the following items: file path, file type, file size, etc.
The UUID may be obtained from identification of the client on which the malware is located.
Optionally, referring to fig. 12, the apparatus may further include: and a setting module 114, configured to set a false alarm determination rule base, where rules belonging to false alarms are recorded.
For example, the false alarm determination rule base may record that the malware is a false alarm when its hash value equals a certain set hash value, and/or that the identification is a false alarm when the local engine information equals certain set local engine information, and so on.
Correspondingly, the determining module 112 is specifically configured to determine that the identification of the malware is a false alarm when the first information meets a rule recorded in the false alarm determination rule base.
In one embodiment, the first information and/or the rule pertaining to false alarm includes at least one of:
a hash value of the malware;
identifying local engine information for the malware;
characteristic information of the malware;
and the irreversible unique user identification of the client where the malicious software is located.
Correspondingly, when a component of the first information is the same as a rule belonging to a false alarm, the first information is determined to meet the rule recorded in the false alarm determination rule base.
For example, the false alarm determination rule base records that a file identified by rule a1 of local engine a is a false alarm; when the first information reported by the client and received by the cloud includes local engine information consisting of an engine number and a hit rule identifier, and the engine number is a and the hit rule identifier is a1, the client's identification of the malware is determined to be a false alarm. Or, the false alarm determination rule base records that the file with hash value x is a false alarm; when the first information reported by the client and received by the cloud includes the hash value of the identified malware and that hash value is x, the client's identification of the malware is determined to be a false alarm.
The cloud terminal of the embodiment can receive first information sent by the client terminal after identifying the malicious software, and carries out judgment of false alarm according to the first information and feeds back a judgment result to the client terminal. Therefore, the client can timely know whether the false alarm exists or not, and further can timely remove the false alarm.
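The cloud-side determination of figures 11 and 12 (a rule base of hash values and engine/rule-ID pairs, matched against the first information, and extended after a verified false alarm), as an added Python example; it is not code from the patent or from any product it describes. The digests standing in for the page's "hash value x" and "hash value y" and the engine rule `a`/`a1` are constructed placeholders.

```python
from typing import Set, Tuple

# Constructed placeholders standing in for the page's "hash value x" and "y";
# 40 hex characters so they look like SHA-1 digests, but they are not real samples.
DEMO_HASH_X = "ab" * 20
DEMO_HASH_Y = "cd" * 20


class FalseAlarmRuleBase:
    """Rules 'belonging to false alarms' as the text describes them: file hash
    values and (engine name, hit rule ID) pairs. A first information record
    meets a rule when one of its components equals a recorded rule."""

    def __init__(self) -> None:
        self.hash_rules: Set[Tuple[str, str]] = set()     # (algorithm, digest)
        self.engine_rules: Set[Tuple[str, str]] = set()   # (engine name, rule id)

    def add_hash_rule(self, algorithm: str, digest: str) -> None:
        # Rules are keyed per algorithm so a CRC32 never matches a SHA-1 rule.
        self.hash_rules.add((algorithm, digest.lower()))

    def add_engine_rule(self, engine_name: str, rule_id: str) -> None:
        self.engine_rules.add((engine_name, rule_id))

    def judge(self, first_info: dict) -> dict:
        """Cloud-side determination (S42'/S53'). Returns the verdict together
        with the rule that matched, so the client and an analyst can see why."""
        for algorithm, digest in first_info.get("hashes", {}).items():
            if (algorithm, digest.lower()) in self.hash_rules:
                return {"false_alarm": True, "matched": ("hash", algorithm, digest.lower())}
        engine = first_info.get("engine") or {}
        key = (engine.get("name"), engine.get("rule_id"))
        if key in self.engine_rules:
            return {"false_alarm": True, "matched": ("engine",) + key}
        return {"false_alarm": False, "matched": None}

    def learn_verified(self, first_info: dict) -> None:
        """After the cloud verifies an identification as a false alarm (the
        'hash value y' example in the text), record its hash values as rules."""
        for algorithm, digest in first_info.get("hashes", {}).items():
            self.add_hash_rule(algorithm, digest)


def demo_rule_base() -> FalseAlarmRuleBase:
    rb = FalseAlarmRuleBase()
    rb.add_hash_rule("sha1", DEMO_HASH_X)   # "the file with hash value x is a false alarm"
    rb.add_engine_rule("a", "a1")           # "the file hit by rule a1 of engine a is a false alarm"
    return rb


def run_demo() -> list:
    """Match by hash, match by engine rule, miss, then learn y and match it."""
    rb = demo_rule_base()
    verdicts = [
        rb.judge({"hashes": {"sha1": DEMO_HASH_X}})["false_alarm"],
        rb.judge({"engine": {"name": "a", "rule_id": "a1"}})["false_alarm"],
        rb.judge({"hashes": {"sha1": DEMO_HASH_Y}, "engine": {"name": "a", "rule_id": "a2"}})["false_alarm"],
    ]
    rb.learn_verified({"hashes": {"sha1": DEMO_HASH_Y}})   # y verified, rule base updated
    verdicts.append(rb.judge({"hashes": {"sha1": DEMO_HASH_Y}})["false_alarm"])
    return verdicts   # [True, True, False, True]


if __name__ == "__main__":
    print(run_demo())
```

Returning the matched rule alongside the verdict is a small addition over what the text requires, but it is what makes a rule base auditable: when a rule is later found to whitelist a genuinely malicious file, every determination it produced can be traced and revisited.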
In the related art, the antivirus provider needs to screen relatively urgent and important false alarms out of the false alarm conditions fed back by each user for priority processing. Because user feedback of false alarms is not timely enough, urgent and important false alarms cannot be processed in time and are delayed. Therefore, as shown in fig. 13, the present invention further provides an embodiment to solve the problem of delayed urgent and important false alarms in the related art.
Fig. 13 is a schematic structural diagram of another false alarm detection apparatus according to an embodiment of the present invention, which further includes a distinguishing module 115 and an updating module 116 based on fig. 11.
The distinguishing module 115 is used for distinguishing urgent false alarms from non-urgent false alarms;
the cloud may be provided with a malware information base recording statistical information obtained from the first information fed back by each client; for example, the number of clients infected with the same malware can be obtained, and the cloud can then distinguish according to this statistical information; and/or
the cloud may be provided with a user-feedback false alarm information base recording the false alarm condition fed back by each user; for example, the number of users reporting the same malware can be obtained from the fed-back false alarm conditions, and the cloud can then distinguish according to the number of users. Alternatively, the user may feed back the nature of the identified malware, and the cloud distinguishes based on that nature.
Namely, the distinguishing module may include:
a first unit, configured to count the first information sent by each client and to distinguish urgent false alarms from non-urgent false alarms according to the counting result; and/or
and the second unit is used for acquiring the false alarm condition fed back by the user and distinguishing emergency false alarms and non-emergency false alarms according to the false alarm condition fed back by the user.
Further, the first information includes information of the identified malware and information of the client, and the first unit is specifically configured to:
determining the number of the clients recognizing the same malicious software according to the first information sent by each client;
determining that the identification of the malware is an urgent false positive when the number is greater than a preset threshold.
In one embodiment, the second unit is specifically configured to:
acquiring the false alarm condition fed back by each user, and determining the number of users feeding back the same malicious software;
and when the number of users is larger than a preset threshold value, determining that the identification of the malicious software is an emergency false alarm.
The preset threshold may be, for example, 100,000 users per day.
In one embodiment, the second unit is specifically configured to distinguish urgent false alarms from non-urgent false alarms according to the software property of the false alarm fed back by the user.
Further, the second unit is specifically configured to: when the false-alarm software fed back by the user is software necessary for system operation, determine that false alarm to be an urgent false alarm.
The software necessary for system operation is, for example, Windows system files.
The updating module 116 is configured to preferentially verify the emergency false alarm, and update a rule corresponding to the emergency false alarm to the false alarm determination rule base after verification.
The verification of false alarms can be based on static code analysis and/or dynamic behavior analysis.
For example, a section of static code can be written that obtains the range of clients infected with the same malware within a certain period; if the range exceeds a preset value, the identification can be verified as a false alarm. Alternatively, the increase in the number of users infected with the same malware over a period is obtained from dynamic behavior, and the identification can be verified as a false alarm if the increase exceeds a predetermined value. The reason is that a genuine virus usually does not produce such a large infection range or such an increase in infections; of course, a large-scale outbreak could produce them, so further verification may be performed later using a virus verification process from the related art, which is not described in detail in this embodiment.
In this embodiment, the cloud has information of all malware recognized by the client, so that under the condition that no user feedback exists or the user does not timely feed back, an emergency false alarm can be distinguished in time by analyzing the first information reported by the client, and delay of the emergency false alarm is avoided.
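The urgent/non-urgent triage (distinct clients per malware per day from the first information, distinct feedback users per day, and files necessary for system operation), followed by the spread-based verification and the rule base update, covering both step S66 above and the distinguishing and updating modules 115 and 116, as one added Python example; it is not code from the patent or from any product it describes. The telemetry, the list of system-critical file names and the scaled-down thresholds are constructed, and `H1`..`H3` stand in for real digests.

```python
from collections import defaultdict
from os.path import basename
from typing import Dict, Iterable, List, Tuple

# The page's example threshold: more than 100,000 distinct users in one day.
URGENT_THRESHOLD_PER_DAY = 100_000
# Constructed list of files treated as "necessary for system operation".
SYSTEM_CRITICAL_NAMES = {"ntoskrnl.exe", "winlogon.exe", "ntdll.dll", "kernel32.dll"}

Report = Tuple[str, str, str]          # (day, reporter id, digest) from first information
Feedback = Tuple[str, str, str, str]   # (day, user id, digest, file path) from user feedback


def distinct_per_day(records: Iterable[Report]) -> Dict[Tuple[str, str], int]:
    """Distinct reporters per (day, digest): the statistic the first unit derives
    from the first information and the second unit from user feedback."""
    seen = defaultdict(set)
    for day, who, digest in records:
        seen[(day, digest)].add(who)
    return {key: len(who) for key, who in seen.items()}


def classify_false_alarms(client_reports: List[Report], user_feedback: List[Feedback],
                          threshold: int = URGENT_THRESHOLD_PER_DAY) -> Dict[str, str]:
    """Return {digest: 'urgent' | 'non-urgent'} for every false alarm candidate."""
    verdict: Dict[str, str] = {}
    for _day, _user, digest, _path in user_feedback:         # every user-reported hash is a candidate
        verdict.setdefault(digest, "non-urgent")
    for (_day, digest), n in distinct_per_day(client_reports).items():
        if n > threshold:                                    # many clients flag one hash in a day
            verdict[digest] = "urgent"
    feedback_as_reports = [(d, u, h) for d, u, h, _p in user_feedback]
    for (_day, digest), n in distinct_per_day(feedback_as_reports).items():
        if n > threshold:                                    # many users feed back one hash in a day
            verdict[digest] = "urgent"
    for _day, _user, digest, path in user_feedback:
        if basename(path.replace("\\", "/")).lower() in SYSTEM_CRITICAL_NAMES:
            verdict[digest] = "urgent"                       # software necessary for system operation
    return verdict


def verify_by_spread(client_reports: List[Report], digest: str,
                     spread_threshold: int, growth_threshold: int) -> bool:
    """Verification as the text sketches it: the static check looks at how many
    clients the hash reached over the whole period, the dynamic check at the
    largest day-over-day increase; exceeding either preset value verifies the
    identification as a false alarm (still subject to later analyst review)."""
    per_day = {day: n for (day, h), n in distinct_per_day(client_reports).items() if h == digest}
    reach = len({who for _d, who, h in client_reports if h == digest})
    days = sorted(per_day)
    growth = max((per_day[b] - per_day[a] for a, b in zip(days, days[1:])), default=0)
    return reach > spread_threshold or growth > growth_threshold


def triage(client_reports: List[Report], user_feedback: List[Feedback], threshold: int,
           spread_threshold: int, growth_threshold: int):
    """Urgent candidates are verified first; verified ones become ('sha1', digest)
    rules to be added to the false alarm determination rule base."""
    verdict = classify_false_alarms(client_reports, user_feedback, threshold)
    queue = sorted(verdict, key=lambda h: (verdict[h] != "urgent", h))
    new_rules = [("sha1", h) for h in queue
                 if verify_by_spread(client_reports, h, spread_threshold, growth_threshold)]
    return verdict, queue, new_rules


# Constructed telemetry; "H1".."H3" stand in for real SHA-1 digests.
DEMO_CLIENT_REPORTS: List[Report] = (
    [("day-1", f"client-{i}", "H1") for i in range(1, 6)]      # 5 distinct clients on day 1
    + [("day-2", f"client-{i}", "H1") for i in range(1, 8)]    # 7 distinct clients on day 2
    + [("day-1", "client-1", "H2")]
    + [("day-1", "client-1", "H3"), ("day-1", "client-2", "H3")]
)
DEMO_USER_FEEDBACK: List[Feedback] = [
    ("day-1", "user-1", "H2", "C:/Users/demo/tool.exe"),
    ("day-1", "user-1", "H3", "C:/Windows/System32/ntdll.dll"),
]


def run_demo():
    # Thresholds scaled down for the constructed data (the page's is 100,000 per day).
    return triage(DEMO_CLIENT_REPORTS, DEMO_USER_FEEDBACK,
                  threshold=3, spread_threshold=4, growth_threshold=1)


if __name__ == "__main__":
    print(run_demo())
```

In the constructed data H1 is urgent because of client volume and is verified by its spread, H3 is urgent because a user reported a Windows system file but is not verified by spread alone (and so stays in the analyst queue), and H2 is a single user's report and is handled as non-urgent.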
Fig. 14 is a schematic structural diagram of a false alarm detection system according to an embodiment of the present invention, where the system 140 includes a client device 141 and a cloud device 142.
The client device 141 may be as described in any of fig. 7 to 10, and the cloud device 142 may be as described in any of fig. 11 to 13. And will not be described in detail herein.
The client of this embodiment does not directly process the malware after identifying it, but sends the first information obtained at the identification to the cloud, so that the cloud determines whether the identification is a false alarm. On the one hand, the cloud can learn in time whether a false alarm exists; on the other hand, the client can also learn in time whether a false alarm exists by receiving the determination result from the cloud, without waiting for an antivirus software upgrade. Therefore, the timeliness with which the cloud and the client learn of false alarms is improved. In addition, because the client queries the cloud after identifying the malware and receives the determination result, it learns of the false alarm without updating the software, which avoids the delay caused by the need to update. The cloud of this embodiment receives the first information sent by the client after it identifies the malware, determines whether the identification is a false alarm according to the first information, and feeds the determination result back to the client; the client can thus learn in time whether a false alarm exists and remove it in time.
The embodiment of the invention also provides client equipment which comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power circuit for supplying power to each circuit or device of the client device; the memory is used for storing executable program codes; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the steps of:
S11': malware is identified.
It can be understood that, in the related art, the client may also identify the malware, and therefore, a person skilled in the art can know how to implement the malware identification by the specific client, and the embodiment of the present invention is not described again.
In the related art, the client directly processes the malware according to the malware processing flow after recognizing the malware, but the malware recognized by the client is possibly normal software, that is, false alarm is generated. In the related art, the false alarm requires a user to report to a server through a client. In order to enable the cloud to timely obtain the false alarm, the false alarm detection method of the embodiment of the invention further comprises the following steps after the malicious software is identified:
S12': acquiring the first information when the malware is identified, and sending the first information to the cloud, so that the cloud determines, according to the first information, whether the identification of the malware is a false alarm.
The first information includes at least one of:
a hash value of the malware;
identifying local engine information for the malware;
characteristic information of the malware;
an irreversible Unique User Identifier (UUID) of the client where the malware is located.
The hash value of the malware may be obtained by performing a hash operation on the binary file of the malware; the hash algorithm includes but is not limited to Message Digest Algorithm 5 (MD5), Cyclic Redundancy Check (CRC), Secure Hash Algorithm 1 (SHA-1), and the like.
The local engine information may be obtained from the local engine after the identification, and includes the engine name and/or the hit rule identifier (ID), etc.
The feature information of the malware may be obtained by analyzing a binary file of the malware, and the feature information of the malware includes at least one of the following items: file path, file type, file size, etc.
The UUID may be obtained from identification of the client on which the malware is located.
S13': and receiving a judgment result sent by the cloud end, and determining whether false alarm exists according to the judgment result.
For example, when the determination result indicates a false alarm, the client determines that a false alarm exists; when the determination result indicates no false alarm, the client determines that there is none.
The client of this embodiment does not directly process the malware after identifying it, but sends the first information of the identified malware to the cloud, so that the cloud determines, according to the first information, whether the identification is a false alarm; the cloud can thus learn of false alarms in a timely manner.
In the related art, the antivirus software version is upgraded by the server side, and the false alarm can be obtained only after the client side is upgraded. The client of the embodiment can timely know whether the false alarm exists or not by receiving the judgment result of the cloud, and the false alarm can be determined without waiting for the upgrade of the antivirus software. Therefore, the timeliness of the cloud and the client for obtaining the false alarm is improved. In addition, the client can inquire the cloud end after identifying the malicious software and know the judgment result of whether the false alarm exists, so that the client can timely know the false alarm without updating the software, and the delay problem caused by the need of updating is avoided.
In one embodiment, the processor may further perform the steps of:
S14': when the determination result indicates a false alarm, not treating the identified malware as malware.
That is, the identified malware is normal software and is not sanitized. Or,
S15': when the determination result indicates no false alarm, treating the identified malware as malware.
That is, the identified malware is not normal software and needs to be sanitized.
According to the embodiment, the false alarm can be timely removed when the false alarm exists by processing according to the judgment result.
In one embodiment, the processor may further perform the steps of:
S31': when it is determined that there is a false alarm, recording the first information in a false alarm list.
For example, if the first information when the false alarm is determined is hash value_1, hash value_1 may be recorded in the false alarm list, and when the malware identified next time has hash value_1, it may be directly determined to be a false alarm.
S32': searching the false alarm list when malware is identified next time, and judging whether the information obtained at that identification is recorded in the false alarm list; if so, executing S33', otherwise executing S34'.
For example, next time malware is identified, information of the malware at that time may also be acquired, for example, a hash value of the malware at that time is acquired.
S33': the identification of the malware at this time is determined directly as a false positive.
For example, the hash value of the malware identified in S32' is hash value _1, and since hash value _1 is recorded in the false alarm list, the malware identification at this time is determined as false alarm, and it is not necessary to perform judgment to the cloud.
S34': sending the information obtained when the malware is identified to the cloud for determination, and receiving the determination result sent by the cloud.
For example, the information obtained in S32' is hash value_3; since it is not in the false alarm list, hash value_3 is sent to the cloud so that the cloud determines whether the identification is a false alarm.
Further, assuming that the result of cloud feedback is a false alarm, the hash value _3 may also be recorded in a false alarm list for subsequent detection and search.
In the embodiment, after the client side knows the false alarm, the first information is recorded for reference of subsequent detection.
It can be understood that the client may also perform other operations after learning the false alarm, for example, the client performs software upgrading processing when determining that there is a false alarm.
In the related art, because the upgrade depends on the autonomy of a user or the upgrade date set by the antivirus software, the false alarm cannot be timely upgraded when occurring, and the false alarm cannot be timely relieved. In the embodiment, the software is upgraded after the false alarm occurs, so that the software can be upgraded in time, and the false alarm can be solved in time.
According to the embodiment, when the fact that the false alarm exists is known, the information of the false alarm is recorded, a foundation can be provided for follow-up detection, the cloud end is prevented from being inquired every time, and the resource overhead can be reduced.
The embodiment of the invention also provides the cloud equipment which comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; the power supply circuit is used for supplying power to each circuit or device of the cloud equipment; the memory is used for storing executable program codes; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the steps of:
the embodiment of the invention also provides the cloud equipment which comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; the power supply circuit is used for supplying power to each circuit or device of the cloud equipment; the memory is used for storing executable program codes; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the steps of:
S41': receiving first information sent by a client, where the first information is information obtained when the client identifies malware;
the first information includes at least one of:
a hash value of the malware;
identifying local engine information for the malware;
characteristic information of the malware;
an irreversible Unique User Identifier (UUID) of the client where the malware is located.
The hash value of the malware may be obtained by performing a hash operation on the binary file of the malware; the hash algorithm includes but is not limited to Message Digest Algorithm 5 (MD5), Cyclic Redundancy Check (CRC), Secure Hash Algorithm 1 (SHA-1), and the like.
The local engine information may be obtained from the local engine after the identification, and includes the engine name and/or the hit rule identifier (ID), etc.
The feature information of the malware may be obtained by analyzing a binary file of the malware, and the feature information of the malware includes at least one of the following items: file path, file type, file size, etc.
The UUID may be obtained from identification of the client on which the malware is located.
S42': judging, according to the first information, whether the client's identification of the malicious software is a false alarm;
Optionally, a false alarm determination rule base is set at the cloud end to perform this determination.
S43': and sending the judgment result to the client so that the client determines whether the false alarm exists according to the judgment result. As in the above embodiments, after receiving the determination result, the client may determine whether there is a false alarm according to the determination result, and may further perform corresponding processing. For details, reference may be made to the above embodiments, which are not described herein again.
In one embodiment, the processor is specifically configured to perform the following steps:
S51': receiving first information sent by a client, wherein the first information is information acquired when the client identifies malicious software.
See S41' for details, which are not described herein.
S52': and setting a false alarm judgment rule base, wherein rules belonging to false alarms are recorded in the false alarm judgment rule base.
For example, the false alarm determination rule base may record that the identification of the malicious software is a false alarm when the hash value of the malicious software equals a certain set hash value, and/or when the local engine information equals certain set local engine information, and so on.
S53': when the first information meets a rule recorded in the false alarm determination rule base, determining that the identification of the malicious software is a false alarm.
Wherein the first information and/or the rule belonging to false alarms includes at least one of:
a hash value of the malware;
information on the local engine that identified the malware;
characteristic information of the malware;
the irreversible unique user identifier of the client on which the malicious software is located.
Correspondingly, when the first information is the same as a rule belonging to false alarms, the first information is determined to meet the rule recorded in the false alarm determination rule base.
For example, the false alarm determination rule base records that a file identified by rule a1 of local engine A is a false alarm. When the first information reported by the client and received by the cloud includes local engine information consisting of an engine name and a hit rule identifier, and the engine name is A and the hit rule identifier is a1, the client's identification of the malicious software is determined to be a false alarm. Or, the false alarm determination rule base records that a file with hash value x is a false alarm. When the first information reported by the client and received by the cloud includes the hash value of the identified malicious software, and that hash value is x, the client's identification of the malicious software is determined to be a false alarm.
S54': and sending the judgment result to the client so that the client determines whether the false alarm exists according to the judgment result. As in the above embodiments, after receiving the determination result, the client may determine whether there is a false alarm according to the determination result, and may further perform corresponding processing. For details, reference may be made to the above embodiments, which are not described herein again.
The cloud end of this embodiment can receive the first information sent by the client after the client identifies malicious software, judge whether the identification is a false alarm according to the first information, and feed the judgment result back to the client. The client can therefore learn in time whether a false alarm exists, and can then remove the false alarm in time.
In the related art, an antivirus vendor needs to screen relatively urgent and important false alarms out of the false alarm feedback from individual users for priority processing. Because user feedback on false alarms is not timely enough, urgent and important false alarms cannot be processed in time and are delayed. Therefore, the invention also provides an embodiment to solve the problem of delayed urgent and important false alarms in the related art.
In one embodiment, the processor is specifically configured to perform the following steps:
S61': the cloud end receives first information sent by a client, wherein the first information is information obtained when the client identifies malicious software;
S62': the cloud end sets a false alarm determination rule base in which rules belonging to false alarms are recorded;
S63': when the first information meets a rule recorded in the false alarm determination rule base, the cloud end determines that the identification of the malicious software is a false alarm;
S64': the cloud end sends the judgment result to the client so that the client can determine whether a false alarm exists according to the judgment result.
For details, see S51' to S54', which are not described again here.
S65': the cloud end distinguishes urgent false alarms from non-urgent false alarms;
The cloud end may be provided with a malicious software information base that records statistical information obtained from the first information fed back by each client; for example, the number of clients infected with the same malicious software can be obtained, and the cloud end can then make the distinction according to this statistical information; and/or,
the cloud end may be provided with a user feedback false alarm information base that records the false alarm conditions fed back by each user; for example, the number of clients infected with the same malicious software can be obtained from the false alarm conditions fed back by users, and the cloud end can then make the distinction according to the number of users. Alternatively, users may feed back the nature of the identified software, and the distinction is made based on that nature.
That is, S65' may specifically include:
counting the first information sent by each client, and distinguishing urgent false alarms from non-urgent false alarms according to the counting result; and/or,
acquiring the false alarm conditions fed back by users, and distinguishing urgent false alarms from non-urgent false alarms according to those false alarm conditions.
Further, the first information includes information on the identified malware and information on the client, and counting the first information sent by each client and distinguishing urgent false alarms from non-urgent false alarms according to the statistical result includes:
determining, from the first information sent by each client, the number of clients that identified the same malicious software;
determining that the identification of the malware is an urgent false alarm when that number is greater than a preset threshold.
The preset threshold may be, for example, 100,000 users per day.
In another embodiment, acquiring the false alarm conditions fed back by users and distinguishing urgent false alarms from non-urgent false alarms according to those conditions includes:
acquiring the false alarm conditions fed back by each user, and determining the number of users who reported the same malicious software;
when that number of users is greater than a preset threshold, determining that the identification of the malicious software is an urgent false alarm.
The preset threshold may be, for example, 100,000 users per day.
In another embodiment, acquiring the false alarm conditions fed back by users and distinguishing urgent false alarms from non-urgent false alarms according to those conditions includes:
distinguishing urgent false alarms from non-urgent false alarms according to the nature of the software reported as a false alarm by the user.
Specifically, distinguishing urgent false alarms from non-urgent false alarms according to the nature of the software reported as a false alarm by the user may include:
when the software reported as a false alarm by the user is software necessary for system operation, determining the false alarm on that software to be an urgent false alarm.
Software necessary for system operation is, for example, Windows system files.
S66': the cloud end preferentially verifies urgent false alarms and, after verification, updates the rule corresponding to the urgent false alarm into the false alarm determination rule base.
Verification of false alarms may be based on static code analysis and/or dynamic behaviour analysis.
For example, a piece of static code can be written that obtains the range of infection by the same malware within a certain period; if that range exceeds a preset value, the detection can be verified as a false alarm. Alternatively, the increase in the number of users infected with the same malware over a period is obtained through dynamic behaviour analysis, and the detection can be verified as a false alarm if that increase exceeds a preset value. The reasoning is that a genuine virus does not usually show such a large infection range or such a rapid increase in infections. A large-scale outbreak is of course possible in this situation, so further verification may be carried out later using a virus verification process from the related art, which this embodiment does not describe in detail.
After a detection is verified as a false alarm, the first information sent when the client identified the malicious software can be added to the false alarm determination rule base for reference in subsequent detection.
For example, if the original false alarm determination rule base does not include hash value y, but software with hash value y is verified as a false alarm, y can be added to the rule base; the next time a client identifies malicious software whose hash value is y, the updated rule base determines that it is a false alarm.
In this embodiment, the cloud end holds information on all malware identified by clients, so even when there is no user feedback or the feedback is late, urgent false alarms can be distinguished in time by analysing the first information reported by clients, avoiding delays in handling urgent false alarms.
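The following Python sketch is an added example, not code from the patent, that puts the cloud-side procedure of S41' to S66' together: the client builds the first information (hashes, engine name and hit rule ID, file features, an irreversible UUID), the cloud matches it against a false alarm rule base, counts distinct reporting clients to flag urgent candidates, and records a verified hash as a new rule. All class and function names, the system-path prefixes and the sample inputs are constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed example of the client/cloud exchange described in S41'-S66'.
# All names here are illustrative and assumed, not the patent's own.

# Illustrative prefixes for "software necessary for system operation"
# (the text gives Windows system files as the example).
SYSTEM_PATH_PREFIXES = ("c:/windows/system32/", "c:/windows/syswow64/")


def build_first_info(binary: bytes, file_path: str, engine_name: str,
                     hit_rule_id: str, client_id: str) -> dict:
    """Client side (S41'): assemble the first information for one detection.

    MD5 and SHA-1 are what the text lists; neither is collision resistant, so
    a SHA-256 digest is carried as well and used as the matching key.
    The raw client identifier is never sent: only its SHA-256 digest goes to
    the cloud, which is what makes the UUID irreversible."""
    return {
        "hash": {"md5": hashlib.md5(binary).hexdigest(),
                 "sha1": hashlib.sha1(binary).hexdigest(),
                 "sha256": hashlib.sha256(binary).hexdigest()},
        "engine": {"name": engine_name, "rule_id": hit_rule_id},
        "features": {"path": file_path,
                     "type": os.path.splitext(file_path)[1].lower().lstrip("."),
                     "size": len(binary)},
        "uuid": hashlib.sha256(b"client-id:" + client_id.encode()).hexdigest(),
    }


@dataclass
class FalseAlarmRuleBase:
    """S52': rules known to describe false alarms.
    A rule is either a file hash or an (engine name, hit rule id) pair."""
    hashes: set = field(default_factory=set)
    engine_rules: set = field(default_factory=set)

    def matches(self, info: dict) -> bool:
        """S53': the first information meets a rule when it is the same as a
        recorded rule, i.e. any reported hash or the engine/rule pair matches."""
        if any(h in self.hashes for h in info["hash"].values()):
            return True
        eng = info["engine"]
        return (eng["name"], eng["rule_id"]) in self.engine_rules


class CloudAdjudicator:
    """S61'-S66': adjudicate reports, keep the malware information base, and
    single out urgent false alarm candidates for priority verification."""

    def __init__(self, rule_base: FalseAlarmRuleBase,
                 urgent_threshold: int = 100_000) -> None:
        self.rule_base = rule_base
        self.urgent_threshold = urgent_threshold  # text: 100,000 users per day
        # malware information base: sha256 -> set of (hashed) client UUIDs
        self.reporters: dict = defaultdict(set)

    def handle_report(self, info: dict) -> dict:
        """S63'/S64': record the reporter and return the judgment result."""
        key = info["hash"]["sha256"]
        self.reporters[key].add(info["uuid"])
        return {"hash": key, "false_alarm": self.rule_base.matches(info)}

    def is_urgent(self, info: dict) -> bool:
        """S65': urgent when more distinct clients than the threshold report
        the same sample, or when the file is necessary for system operation."""
        spread = len(self.reporters[info["hash"]["sha256"]]) > self.urgent_threshold
        path = info["features"]["path"].replace("\\", "/").lower()
        return spread or path.startswith(SYSTEM_PATH_PREFIXES)

    def confirm_false_alarm(self, sha256: str) -> None:
        """S66': after verification, add the hash as a rule so the next report
        with the same hash is judged a false alarm without re-verification."""
        self.rule_base.hashes.add(sha256)


if __name__ == "__main__":
    rb = FalseAlarmRuleBase(engine_rules={("A", "a1")})
    cloud = CloudAdjudicator(rb, urgent_threshold=2)
    # Constructed sample: a benign file flagged by rule a1 of engine A.
    info = build_first_info(b"constructed benign binary", "C:/Tools/x.exe",
                            "A", "a1", "client-1")
    print(cloud.handle_report(info))  # false_alarm True via the engine rule
```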
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (22)
1. A method of false positive detection, comprising:
identifying malware;
acquiring first information when the malicious software is identified, and sending the first information to a cloud end so that the cloud end judges whether the identification of the malicious software is false alarm or not according to the first information;
and receiving a judgment result sent by the cloud end, and determining whether false alarm exists according to the judgment result.
2. The method of claim 1, further comprising:
when the judgment result indicates a false alarm, not treating the identified malicious software as malicious software; and/or,
when the judgment result indicates that it is not a false alarm, treating the identified malicious software as malicious software.
3. The method of claim 1, further comprising:
and when a false alarm is determined to exist, recording the first information in a false alarm list.
4. The method of claim 3, further comprising:
and searching in the false alarm list when the malicious software is identified next time, and if the information when the malicious software is identified next time is in the false alarm list, directly determining the malicious software identified next time as false alarm.
5. The method of claim 3, further comprising:
and searching in the false alarm list when malicious software is identified next time, and if the information when the malicious software is identified next time is not in the false alarm list, sending the information when the malicious software is identified next time to the cloud end so as to carry out false alarm judgment on the cloud end.
6. The method of claim 1, further comprising:
and when a false alarm is determined, performing software upgrade processing.
7. The method according to any one of claims 1 to 6, wherein the first information comprises at least one of:
a hash value of the malware;
identifying local engine information for the malware;
characteristic information of the malware;
and the irreversible unique user identification of the client where the malicious software is located.
8. The method according to claim 7, wherein when the first information is a hash value of the malware, the obtaining the first information when the malware is identified comprises:
and carrying out hash operation on the binary file of the malicious software to obtain a hash value of the malicious software.
9. The method of claim 8, wherein the hash operation comprises:
an MD5 operation; or
a CRC operation; or
a SHA-1 operation.
10. The method of claim 7, wherein the local engine information comprises:
the engine name of the local engine, and/or the hit rule identification.
11. The method of claim 7, wherein the characteristic information of the malware comprises at least one of:
file path, file type, file size.
12. A false positive detection device, comprising:
the identification module is used for identifying malicious software;
the acquisition module is used for acquiring first information during malicious software identification and sending the first information to a cloud end so that the cloud end can judge whether the malicious software identification is false alarm or not according to the first information;
and the judging module is used for receiving the judging result sent by the cloud end and determining whether the false alarm exists according to the judging result.
13. The apparatus of claim 12, further comprising:
the processing module is used for processing the identified malicious software not as malicious software when the judgment result received by the judging module indicates false alarm; and/or when the judgment result received by the judgment module indicates non-false alarm, the identified malicious software is treated as malicious software.
14. The apparatus of claim 12, further comprising:
and the recording module is used for recording the first information in a false alarm list when the judging module determines that the false alarm exists.
15. The apparatus of claim 14, further comprising:
and the first searching module is used for searching in the false alarm list when the malicious software is identified next time, and directly determining the malicious software identified next time as false alarm if the information when the malicious software is identified next time is in the false alarm list.
16. The apparatus of claim 14, further comprising:
and the second searching module is used for searching in the false alarm list when malicious software is identified next time, and sending the information when the malicious software is identified next time to the cloud if the information when the malicious software is identified next time is not in the false alarm list, so that the cloud carries out false alarm judgment.
17. The apparatus of claim 12, further comprising:
and the upgrading module is used for upgrading the software when the judging module determines that a false alarm exists.
18. The apparatus according to any one of claims 12 to 17, wherein the first information acquired by the acquiring module comprises at least one of:
a hash value of the malware;
identifying local engine information for the malware;
characteristic information of the malware;
and the irreversible unique user identification of the client where the malicious software is located.
19. The apparatus according to claim 18, wherein when the first information is a hash value of the malware, the obtaining module is specifically configured to:
and carrying out hash operation on the binary file of the malicious software to obtain a hash value of the malicious software.
20. The apparatus of claim 19, wherein the hash operation comprises:
an MD5 operation; or
a CRC operation; or
a SHA-1 operation.
21. The apparatus of claim 18, wherein the local engine information comprises:
the engine name of the local engine, and/or the hit rule identification.
22. The apparatus of claim 18, wherein the characteristic information of the malware comprises at least one of:
file path, file type, file size.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410145545.1A CN104980407A (en) | 2014-04-11 | 2014-04-11 | Misinformation detecting method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104980407A true CN104980407A (en) | 2015-10-14 |
Family
ID=54276517
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410145545.1A Pending CN104980407A (en) | 2014-04-11 | 2014-04-11 | Misinformation detecting method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104980407A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105099797A (en) * | 2014-04-21 | 2015-11-25 | 珠海市君天电子科技有限公司 | False alarm detection method and device |
CN105468975A (en) * | 2015-11-30 | 2016-04-06 | 北京奇虎科技有限公司 | Method, device and system for tracking malicious code misinformation |
CN106682510A (en) * | 2016-09-06 | 2017-05-17 | 腾讯科技(深圳)有限公司 | Method and device for preventing virus manslaughter |
CN106682508A (en) * | 2016-06-17 | 2017-05-17 | 腾讯科技(深圳)有限公司 | Method and device for searching and killing viruses |
CN107294929A (en) * | 2016-04-05 | 2017-10-24 | 阿里巴巴集团控股有限公司 | Rule match and management method and device |
CN107689975A (en) * | 2016-08-05 | 2018-02-13 | 腾讯科技(深圳)有限公司 | A kind of computer virus recognition methods and system based on cloud computing |
CN112487420A (en) * | 2019-09-11 | 2021-03-12 | 卡巴斯基实验室股份制公司 | System and method for reducing the number of false positives in document classification |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003077071A2 (en) * | 2002-03-08 | 2003-09-18 | Ciphertrust, Inc. | Systems and methods for enhancing electronic communication security |
CN101901314A (en) * | 2009-06-19 | 2010-12-01 | 卡巴斯基实验室封闭式股份公司 | The detection of wrong report and minimizing during anti-malware is handled |
US8881276B2 (en) * | 2007-01-09 | 2014-11-04 | Cisco Technology, Inc. | Dynamically generated whitelist for high throughput intrusion prevention system (IPS) functionality |
Non-Patent Citations (1)
Title |
---|
孙静: "基于Cloud-AV的反病毒软件误报测试系统设计", 《复旦大学硕士学位论文》 * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105099797A (en) * | 2014-04-21 | 2015-11-25 | 珠海市君天电子科技有限公司 | False alarm detection method and device |
CN105468975A (en) * | 2015-11-30 | 2016-04-06 | 北京奇虎科技有限公司 | Method, device and system for tracking malicious code misinformation |
CN107294929A (en) * | 2016-04-05 | 2017-10-24 | 阿里巴巴集团控股有限公司 | Rule match and management method and device |
CN107294929B (en) * | 2016-04-05 | 2021-05-18 | 阿里巴巴集团控股有限公司 | Rule matching and management method and device |
CN106682508A (en) * | 2016-06-17 | 2017-05-17 | 腾讯科技(深圳)有限公司 | Method and device for searching and killing viruses |
CN107689975A (en) * | 2016-08-05 | 2018-02-13 | 腾讯科技(深圳)有限公司 | A kind of computer virus recognition methods and system based on cloud computing |
CN107689975B (en) * | 2016-08-05 | 2020-07-31 | 腾讯科技(深圳)有限公司 | Cloud computing-based computer virus identification method and system |
CN106682510A (en) * | 2016-09-06 | 2017-05-17 | 腾讯科技(深圳)有限公司 | Method and device for preventing virus manslaughter |
CN106682510B (en) * | 2016-09-06 | 2019-04-12 | 腾讯科技(深圳)有限公司 | A kind of method and device for preventing virus from manslaughtering |
CN112487420A (en) * | 2019-09-11 | 2021-03-12 | 卡巴斯基实验室股份制公司 | System and method for reducing the number of false positives in document classification |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20151014 |